Chinese Hackers Linked to Internet Explorer Breach

An elite freelance hacking team in China appears to be behind a recent security breach of Microsoft's Internet Explorer, three U.S. security firms said, offering a new glimpse into the capabilities of Chinese hackers.

The attack has caused particular concern within the security community because it pointed out a hole in one of the most-used pieces of software in the world. Microsoft’s Web browser comes standard on machines running its Windows operating system.

The hackers appeared to target Japanese organizations by hitting a weakness in Internet Explorer, according to researchers at FireEye, a Milpitas, Calif.-based cybersecurity firm.

Microsoft reported the security hole last week, but revealed little about who was behind the hack or who it targeted. Citing a trail of digital evidence, some security researchers have linked the attack to one of the most skilled hacking groups in China.

The group appears to act as “hackers for hire,” often on behalf of the Chinese government, a spokeswoman at Mandiant said, citing research from the cybersecurity company’s intelligence group.

It is not clear what exactly the hackers sought or managed to steal from Japan.

The Chinese government said it was being criticized “irresponsibly.”

“China is a victim of cyberattacks and is among the countries that suffer the most from them,” a written statement from China’s Ministry of Foreign Affairs said. “The Chinese government takes the cybersecurity issue seriously, and objects to any form of cyberattack. We have drafted related regulations to prohibit and crack down on cyberattacks.”

Several American security researchers said they long have tracked the group by following digital fingerprints hackers leave behind. The process of attributing attacks isn’t exact and it remains difficult to link activity on the Internet to a real person behind a keyboard.

But evidence collected by three major security firms links the group to some of the most high-profile hacks in recent history. Those include breaches of Google and also Bit9, a Massachusetts-based security company used by the U.S. government and large companies to determine whether software is cleared to run on their networks. (A Google spokeswoman pointed to a previous blog post acknowledging it being hacked by a Chinese group. A request for comment from Bit9 was not immediately returned.)

The group consists of 50-100 hackers, according to a recent report from Symantec. Meantime, researchers at Mandiant and Crowdstrike, who have tracked the group independently, say it appears to operate with at least tacit approval of the Chinese government.

“There is no question they’re working on behalf of the Chinese government,” said Dmitri Alperovitch, CTO of Crowdstrike, who has been tracking the group for years. It is possible the hackers act like digital defense contractors for China, Alperovitch said.

In addition to the group’s sophistication, its target selection tends to match targets that would be of interest to China, the researchers said.

More than half of their targets were in the U.S., with another 15% in Taiwan and 9% in China itself, according to a report from Symantec. (China has a history of spying on domestic dissidents, and the hackers were linked to a 2009 attempt to hack into the Gmail accounts of human rights activists.)

Some security experts say the group appears to act on a for-hire basis. A researcher at Mandiant said the group recently targeted the video game industry — not a sector with apparent strategic importance to the Chinese government.

“We believe that they work with at least tacit government approval,” the researcher said.

The hacking group has also targeted financial services companies, said Alex Cox, head of intelligence research at RSA Security, a division of EMC.

Cox cautioned it is not 100% clear the Chinese group is behind all of the attacks “unless you’re the Navy SEAL that kicks down the door and catches the guy with his hands on the keyboard.”

Regardless, the danger is that new cyberweapons, like this one, can be mimicked by other hackers once released into the digital wild, security researchers said.

Microsoft disclosed a potential problem with Explorer last week, and quickly posted temporary security workarounds on its website.

But the company has not yet offered a formal patch. This means that while some users may be safe, others may remain at risk, security researchers said.

“Customers should apply the Fix it or follow the workaround listed in the advisory to help protect them against potential attacks while we continue working on a security update,” said Microsoft spokesman Dustin Childs, referencing the company’s “Fix It” term for temporary security patches.